Add support for using CertFP to auth to the IRC server, and document it.
authorUnit 193 <unit193@gmail.com>
Sat, 31 May 2014 21:01:00 +0000 (17:01 -0400)
committerEric S. Raymond <esr@thyrsus.com>
Sat, 31 May 2014 21:07:48 +0000 (17:07 -0400)
Signed-off-by: Eric S. Raymond <esr@thyrsus.com>
irkerd
irkerd.xml

diff --git a/irkerd b/irkerd
index dd567e526a0c52521aaa237182d0867af5c14b9f..b47ff01435864f23bb21c72731d2188caa08e841 100755 (executable)
--- a/irkerd
+++ b/irkerd
@@ -233,13 +233,13 @@ class IRCServerConnection():
         self.master = master
         self.socket = None
 
-    def _wrap_socket(self, socket, target, cafile=None,
+    def _wrap_socket(self, socket, target, certfile=None, cafile=None,
                      protocol=ssl.PROTOCOL_TLSv1):
         try:  # Python 3.2 and greater
             ssl_context = ssl.SSLContext(protocol)
         except AttributeError:  # Python < 3.2
             self.socket = ssl.wrap_socket(
-                socket, cert_reqs=ssl.CERT_REQUIRED,
+                socket, certfile=certfile, cert_reqs=ssl.CERT_REQUIRED,
                 ssl_version=protocol, ca_certs=cafile)
         else:
             ssl_context.verify_mode = ssl.CERT_REQUIRED
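Review bot: On the `ssl.SSLContext` path (the `else:` branch) `certfile` is never used. The hunk adds it only to the legacy `ssl.wrap_socket(...)` call, and no other hunk in this commit touches the rest of that branch. On interpreters that provide `SSLContext`, the client certificate therefore appears to be silently dropped, and CertFP would not authenticate even though `-e` was accepted. Load it on the context before wrapping, e.g. `if certfile: ssl_context.load_cert_chain(certfile)` directly after `ssl_context.verify_mode = ssl.CERT_REQUIRED`. The remainder of the `else:` branch lies outside the hunk, so confirm there that nothing already loads it.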
@@ -948,6 +948,9 @@ if __name__ == '__main__':
     parser.add_argument(
         '-c', '--ca-file', metavar='PATH',
         help='file of trusted certificates for SSL/TLS')
+    parser.add_argument(
+        '-e', '--cert-file', metavar='PATH',
+        help='pem file used to authenticate to the server')
     parser.add_argument(
         '-d', '--log-level', metavar='LEVEL', choices=LOG_LEVELS,
         help='how much to log to the log file (one of %(choices)s)')
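Review bot: The help text for `-e/--cert-file` does not say that the PEM file must contain the private key as well as the certificate. No key-file option is added and `_wrap_socket` passes only `certfile`, so a certificate-only file would most likely fail only when the TLS connection is set up. Suggest `help='PEM file holding the client certificate and its private key, used to authenticate to the server (CertFP)'`. The man page entry should carry the same wording, plus a sentence that the file should be readable only by the account running irkerd because it holds key material. Separately, the last irkerd.xml hunk adds the new `-e` `<varlistentry>` twice; one copy should be dropped.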
@@ -990,6 +993,7 @@ if __name__ == '__main__':
         nick_needs_number=re.search('%.*d', args.nick),
         password=args.password,
         cafile=args.ca_file,
+        certfile=args.cert_file,
         )
     LOG.info("irkerd version %s" % version)
     if args.immediate:
index c3c68a23be4abe90c4f6dfc2d98a44b6d886783d..f0676c5e922f32807d395da10d1a7b7f821c7aa0 100644 (file)
@@ -20,6 +20,7 @@
   <command>irkerd</command>
      <arg>-c <replaceable>ca-file</replaceable></arg>
      <arg>-d <replaceable>debuglevel</replaceable></arg>
+     <arg>-e <replaceable>cert-file</replaceable></arg>
      <arg>-l <replaceable>logfile</replaceable></arg>
      <arg>-n <replaceable>nick</replaceable></arg>
      <arg>-p <replaceable>password</replaceable></arg>
@@ -60,7 +61,7 @@ Examples:
 <para>If the channel part of the URL does not have one of the prefix
 characters <quote>#</quote>, <quote>&amp;</quote>, or
 <quote>+</quote>, a <quote>#</quote> will be prepended to it before
-shipping - <emphasis>unless</emphasis>the channel part has the suffix
+shipping - <emphasis>unless</emphasis> the channel part has the suffix
 ",isnick" (which is unconditionally removed).</para>
 
 <para>The host part of the URL may have a port-number suffix separated by a
@@ -137,6 +138,21 @@ joining a channel to log its traffic.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
+<term>-e</term>
+<listitem><para>Takes a following filename in pem format and uses it
+to authenticate to the IRC server.  You must be connecting to the IRC server
+over SSL for this to function properly.  This is commonly known as
+<quote>CertFP.</quote>
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term>-e</term>
+<listitem><para>Takes a following filename in pem format and uses it
+to authenticate to the IRC server.  You must be connecting to the IRC server
+over SSL for this to function properly.  This is commonly known as <quote>CertFP.</quote>
+</para></listitem>
+</varlistentry>
+<varlistentry>
 <term>-l</term>
 <listitem><para>Takes a following filename, logs traffic to that file.
 Each log line consists of three |-separated fields; a numeric